The U.S. Department of Health and Human Services, a key part of the federal response to the fast-spreading coronavirus outbreak, was hit by an unspecified “cyber incident” on Sunday, officials said on Monday.
National Security Council spokesman John Ullyot said department networks “are functioning normally at this time.” He said officials were investigating.
Department spokeswoman Caitlin Oakley said there had been a “significant increase in activity on HHS cyber infrastructure” on Sunday but that the agency was “fully operational.”
Neither Ullyot nor Oakley gave other details as to the nature of the problem, but Bloomberg News, citing unnamed sources, said there had been multiple hacking incidents that appeared aimed at slowing the department’s systems.
On Twitter, a Bloomberg reporter said the incident involved “overloading the HHS servers with millions of hits” – an apparent reference to a denial-of-service, where a firehose of digital traffic is directed toward a website in a bid to knock it offline.
Such incidents are common and rarely bring down government sites. The department website appeared to be accessible on Monday.
Bloomberg tied the incident to the release of a statement by the National Security Council just before midnight on Sunday that denied rumors of a national quarantine, saying that text messages suggesting otherwise were fake. “There is no national lockdown,” said the statement, which was posted to Twitter.
It is not immediately clear how the denial of service would have been related to the fake quarantine rumors.
Reacting to the report, Senator Ben Sasse of Nebraska said Americans “should expect an increase in cyberattacks and stay vigilant” as the nation increasingly becomes absorbed in the fight against the virus.
The attack appears to be a largely unsuccessful attempt to overwhelm the site’s servers.
The US Health and Human Services Department was the victim of a cyberattack yesterday, the agency confirmed to Recode.
Bloomberg, which was first to report the attack on Monday morning, initially described it as a hack, but updates to its story removed the word “hack,” instead referring to it as “multiple incidents of a cyber intrusion.” A subsequent ABC News story said it was actually a distributed denial of service (DDoS) attack, which is a type of cyberattack but not a full breach. A DDoS attack is more consistent with Bloomberg’s description, which said the agency’s servers were overwhelmed with millions of hits designed to slow or shut them down. Both reports said the attack was not successful and that no data was accessed.
Caitlin B. Oakley, a spokesperson for the HHS, told Recode that there was a “significant increase in activity on HHS cyber infrastructure” but that it remained “fully operational.”
“Early on while preparing and responding to Covid-19, HHS put extra protections in place,” Oakley said. “HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities.”
Meanwhile, the National Security Council confirmed to Bloomberg that there was an “incident” but downplayed its impact, adding that “HHS and federal networks are functioning normally at this time.”
“We are aware of a cyber incident related to the Health and Human Services computer networks, and the federal government is investigating this incident thoroughly,” John Ullyot, NSC spokesperson, said in a statement to Bloomberg. “HHS and federal government cybersecurity professionals are continuously monitoring and taking appropriate actions to secure our federal networks.”
In a Monday morning tweet, Washington Post reporter Ellen Nakashima said that a Department of Homeland Security source told her the attack has been “overblown” and that the site never crashed or seemingly was in any danger of doing so.
Details of the cyberattack at HHS emerged at the same time as a flurry of reports about a foreign disinformation campaign designed to spread fear during the coronavirus pandemic. Three anonymous federal officials told the Associated Press that such an effort was underway, though they did not specify which foreign entity was leading the effort. Bloomberg also reported that a recent tweet referencing a misinformation campaign from the National Security Council was related to the attack:
But it’s not entirely clear how the two incidents are related. The NSC tweet appears to be a reference to a viral text message that says President Trump is on the verge of declaring a nationwide mandatory quarantine — a rumor that the White House has denied. It also seems as though such an action by the president would not be constitutional, since there’s little evidence that a DDoS attack would result in the spread of misinformation.
An attack on the HHS during the coronavirus pandemic is probably not a coincidence, and now is obviously one of the worst possible times for an elevated level of uncertainty and fear. According to Bloomberg, officials don’t yet know who is responsible but are assuming it’s a “hostile foreign actor.”
So far, it’s hard to know how seriously to consider the threat of further cyberattacks. DDoS attacks are common as cyberattacks go, because they are relatively easy. Where DDoS attacks that flood a server with messages can be performed with a single computer, a more powerful DDoS requires a network of computers or botnets. Over the course of the past decade, these types of attacks have become increasingly popular as tools of political protest or weapons of disruption. As long as the attacker has enough bots in their arsenal, they can temporarily devastate their victim websites, which may be forced offline for hours or even days — an outcome that would have been particularly harmful in this case but, fortunately, appears to have been avoided.
While it doesn’t look as though the HHS attack did more than spread fear, cybersecurity researchers have warned of several coronavirus-related phishing campaigns and malware posing as official emails or websites from health organizations. Those threats, along with the possibility of a foreign disinformation campaign, serve as additional evidence that we’re only just beginning to comprehend the scope of the coronavirus pandemic and its consequences.